Enhances validation of HTTP header names #2212

Open
carryel opened this issue Sep 13, 2024 · 0 comments

carryel commented Sep 13, 2024

RFC 9110 specifies that only the following characters are allowed within header names:

field-name     = token
token          = 1*tchar
tchar          = "!" / "#" / "$" / "%" / "&" / "'" / "*"
                 / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
                 / DIGIT / ALPHA
                 ; any VCHAR, except delimiters

Grizzly HTTP does not enforce this rule.

1. I think Grizzly should follow this convention for header names.

Consider the following payload: GET / HTTP/1.1\r\nHost: a\r\nIgnore\r\nMy-Header: m\r\n\r\n.

Grizzly's HTTP parser sees this payload as two requests, like so:

GET / HTTP/1.1\r\n
Host: a\r\n
Ignore\r\nMy-Header: m\r\n
\r\n

However, some HTTP parsers (e.g. Nginx, Libsoup, cpp-httplib) see only request, like so:

GET / HTTP/1.1\r\n
Host: a\r\n
Ignore\r\n
My-Header: m\r\n
\r\n

This happens because these parsers either ignore or permissively parse field-lines with no ':', so they see a My-Header header where Grizzly didn't.

2. I think it would be good for compatibility if, when parsing headers, it ignored incomplete field-lines like other parsers do.
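
An added example, not Grizzly's code and not written by the issue author: a stand-alone Java check of field names against the `tchar` grammar quoted above, run over the payload from the issue. The class and method names are hypothetical, and reporting a field-line without `:` as rejected (rather than ignoring it) is a choice made for this example.

```java
import java.util.ArrayList;
import java.util.List;

public class FieldNameCheck {
    // tchar punctuation from the RFC 9110 grammar quoted in the issue.
    private static final String TCHAR_PUNCT = "!#$%&'*+-.^_`|~";

    /** True if name matches token = 1*tchar (DIGIT / ALPHA / listed punctuation). */
    static boolean isToken(String name) {
        if (name.isEmpty()) return false;
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            boolean alnum = (c >= '0' && c <= '9')
                    || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
            if (!alnum && TCHAR_PUNCT.indexOf(c) < 0) return false;
        }
        return true;
    }

    /** Classifies each field-line between the request line and the empty line. */
    static List<String> classify(String request) {
        List<String> out = new ArrayList<>();
        String[] lines = request.split("\r\n", -1);
        for (int i = 1; i < lines.length && !lines[i].isEmpty(); i++) {
            int colon = lines[i].indexOf(':');
            if (colon < 0) {
                out.add("REJECT no-colon: " + lines[i]);
            } else if (!isToken(lines[i].substring(0, colon))) {
                out.add("REJECT bad-name: " + lines[i]);
            } else {
                out.add("OK " + lines[i].substring(0, colon));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Payload copied from the issue text.
        String payload = "GET / HTTP/1.1\r\nHost: a\r\nIgnore\r\nMy-Header: m\r\n\r\n";
        classify(payload).forEach(System.out::println);
        // A name read up to the first ':' across the CRLF contains CR and LF,
        // which are not tchars, so the token check fails for it.
        System.out.println(isToken("Ignore\r\nMy-Header"));
        System.out.println(isToken("My-Header"));
    }
}
```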
